Bad news for anyone who was hoping “chip” debit and credit cards would save us from ATM hacking. We still have a long way to go.
The number of debit and credit cards that were compromised at U.S. ATMs and stores rose 70% in 2016, according to an analysis by the analytics and data company Fair Isaac Corporation (FICO). The company works with financial institutions to alert them about potentially compromised cards and analyzed all of the hundreds of thousands of ATMs and card readers it monitors to find out how widespread fraud was last year. The number of times ATMs and merchant devices were compromised also rose 30%. (That said, it was better than 2015, when the number of times increased more than 500%).
Although merchants and ATMs have been gradually upgraded to require EMV, or “chip” cards, many merchants and ATM owners have still not done so, said TJ Horan, vice president of fraud solutions at FICO. EMV stands for “Europay, MasterCard and Visa,” three companies that collaborated to create the technology. These kinds of cards, experts say, cut down on fraud because many fraudsters attempt to copy credit cards with magnetic stripes by placing “skimmers” on devices where they are swiped. Cards with chips create a unique code banks use during every transaction to verify the payment, so they are not vulnerable to skimming in the same way.
Why the bank of the future will look like an Apple store
As e-banking technology has improved, the number of bank branches is expected to fall by a third in the next decade. But rather than get rid of branches altogether, banks are trying to give them makeovers to get customers to still come in.
Oct. 1, 2015, was the first day of a “liability” shift for credit cards; it meant that the party that hadn’t switched to chip card technology (either the financial institution that issued a card, or a merchant) would become liable for counterfeit fraud on that card. And starting Oct. 1, 2016,that responsibility also fell on owners of ATMs who haven’t made the shift to chip cards. But the deadline for switching to EMV technology on automatic gas pumps isn’t until October 2020, meaning gas pumps are one spot at risk of being tampered with, Horan said. During this transition period, technology for creating skimming devices has become better and cheaper, Horan said.
There was some good news in the report. Technology for detecting hacked ATMs and merchants has also improved. As a result, in 2016, the average amount of time an ATM or merchant device was compromised was 11 days, down from 14 days in 2015.
There are warnings signs for consumers. Horan said people should be wary of any ATMs or merchants’ devices that are hard to fit a card into. Those may be compromised with skimmers, he said. Consumers should frequently check their bank and credit card accounts to be sure they don’t see any fraudulent charges, said Adam Levin, the chairman and co-founder of Credit.com and the author of “Swiped,” a book about scamming and identity theft. He also suggested signing up for email and text-message alerts from financial institutions; some will notify consumers every single time they make a payment, which can make keeping track of transactions easier.
Some banks are updating their ATMs so customers can actually log into them using their smartphone. In other words, no card is required to access them, in another attempt to cut down on fraud. BMO Harris Bank and some locations for Bank of America BAC, -0.08% , Wells Fargo WFC, -0.48% and Chase JPM, -1.13% all have this feature. Near-field communication (NFC) technology that makes those transactions work is known for being safer because not only are consumers not swiping a card that could be skimmed, but the transaction, similar to an EMV card, creates a unique “token” that the bank never uses again to authenticate a purchase.
“That’s where we’re going, but until then, check your accounts,” Levin said.